Convert legacy password storage without aggravating your users

In a previous post I wrote about storing password hashes in a database, which raises the question of how to convert an existing legacy password storage system to use hashes (or even no passwords!) without annoying the people who use your system.

Dial ‘S’ for Secret

Let’s assume that you have inherited a database which stores passwords in cleartext in a column called Password. This is not a good scenario. For one thing, it is a temptation to access information we wouldn’t normally have access to, by using that person’s credentials. For another, due to a human trait called “using a computer,” people reuse passwords all the time. I do it myself and I’m writing a post about security (out of 1,089 items in my 1Password vault, 82 items contain reused passwords).

Maybe these credentials work in different places, like a Netflix or Amazon Prime account. Or how about an online bank account? This is known as credential stuffing, and is very illegal, even though it happens repeatedly.

Don’t annoy the users

The easiest thing to do would be to implement a new hashing algorithm (with a random salt), kick out all users who are signed in, and force them to change their passwords when they try to sign in again. This is the most secure, but it is incredibly annoying.

Another possibility would be to implement a new hashing algorithm (with a random salt), send an email to all users telling them that they are required to change their passwords when they try to sign in again, and then force them to do so. This is slightly less annoying than the first suggestion, but it is still incredibly annoying.

A third possibility would be to implement a new hashing algorithm (with a random salt), send an email to all users telling them that they are required to change their passwords as soon as possible, but allow them to connect with their old passwords first before prompting them to change it the next time they are signed in. This is less annoying because you have notified them by email, and they are permitted to sign in first.

A fourth possibility would be to implement a new hashing algorithm (with a random salt), send an email to all users explaining that their passwords will need to change, with a link in the email to reset their passwords. This is the least annoying of the four options thus far, because the email is a call-to-action. In other words, you are telling them that there is a problem, and you’re giving them an action to perform to remedy the problem.

We could remove passwords entirely, by relying on a concept called Single Sign-On (SSO), where a third-party system provides an authentication token that proves who the user is. We’ve seen this kind of thing with Facebook and Google buttons on websites. We would still have to store a token, but this is far more secure than storing a password or password hash (with a random salt).

I’m sure you have some ideas of how to do this as well, so let’s hear them in the comments.

There is another option that annoys users less by making it transparent. Basically, a hybrid approach. The application will examine the stored password to determine its hashing method. If it is the old hashing method, then use the old method to determine the password submitted is correct. If correct, then hash the submitted password with the new hashing method and store. Eventually, all passwords will be updated to the new hashing method.

This method assumes you can accept the risk of the old hashes for the period of time it takes for all users to logon. If you have maximum password ages, this limits this duration. Any accounts beyond this limit are likely no longer valid users. An audit should follow to validate if these account should continue to exist.

Randolph West is a Microsoft Data Platform MVP, and has worked with SQL Server since the late 1990s. When not consulting, you can see them acting on the stage and screen, or doing voices for independent video games. Also available for mentoring, talks on SQL Server and technology in general, Randolph offers training for junior DBAs. Connect with Randolph on Twitter. Buy their book on Amazon.